CVE-2026-58116
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk40th percentile — higher than 40% of all known CVEs
Summary
LLaMA-Factory through version 0.9.5 contains a remote code execution vulnerability that allows attackers with WebUI access to execute arbitrary Python code by supplying a malicious model path in the Chat or Training interfaces. The application passes user-supplied model path input unvalidated into AutoTokenizer.from_pretrained() and AutoModel.from_pretrained() with a hardcoded trust_remote_code=True parameter, causing the Hugging Face transformers library to fetch and execute arbitrary code from a remote or local model repository with the privileges of the server process.
Risk Assessment
An attacker can take over the server, steal data, install malware, or disrupt service operations using the full privileges of the server process.
Recommendation
Immediately update LLaMA-Factory to a version newer than 0.9.5; if not available, restrict WebUI access to trusted users and validate all model paths before use.
Original NVD description (English source)
LLaMA-Factory through 0.9.5 contains a remote code execution vulnerability that allows attackers with WebUI access to execute arbitrary Python code by supplying a malicious model path in the Chat or Training interfaces. The application passes user-supplied model path input unvalidated into AutoTokenizer.from_pretrained() and AutoModel.from_pretrained() with a hardcoded trust_remote_code=True parameter, causing the Hugging Face transformers library to fetch and execute arbitrary code from a remote or local model repository with the privileges of the server process.

